I recently received this question from a potential client who was looking to sign up with Forensic Notes… (and eventually did).
“Is the cloud safe?”
Actually, he was a bit more direct stating “I will never put my data in the cloud”.
But I understood this strong statement to really be a question about cloud safety and whether his business’s data would be safe in the cloud.
There are a lot of misconceptions around the cloud and how data is stored.
The problem with the term ‘cloud storage’ is that people believe that once data is uploaded to the cloud, it is available for everyone to see and share, but this couldn’t be further from the truth.
Others believe that if data is in the cloud, it is stored everywhere and therefore has a higher chance of being stolen.
As I will explain, both of these beliefs are incorrect. But given the marketing literature around the cloud, it is understandable for those of you that think this way.
Hopefully, I will be able to explain what the cloud is, why it can be the most secure place to store data and why many IT departments are against the idea of storing data in the cloud.
I will also explain situations where the cloud may not be suitable. Sometimes an On-Premises solution is your best option.
So, let’s get started.
Concerns with Cloud Storage
What are your concerns regarding cloud storage?
This was one of the first questions I asked since I wanted to fully understand the fears this client had and what was forming his opinions of the cloud.
His response was pretty simple…
“I just don’t trust the cloud and I want my data stored in my network.”
I thought this was a fair answer, but also showed he didn’t really understand that the cloud is simply a server hosted at a physical location and that for many businesses, it is a lot safer than your local computer network.
The reality is that if your organization is on the internet, then your data is already potentially accessible from the internet. For many organizations, it just takes an improperly set up firewall to give outsiders access to all your files.
What is Cloud Storage?
Cloud storage, in simple terms, is a server that is hosted in a physical location and accessible via the internet.
The main cloud providers are Amazon Web Services (AWS), Microsoft Azure, IBM Cloud and Google Cloud.
But why are Amazon, Microsoft, IBM and Google investing their future in providing cloud services?
Because this is going to be a huge revenue stream for all four companies in the future.
By the end of 2018, Microsoft is expected to generate over $7 Billion in the quarter from its cloud service division. This is for a single quarter with revenue growing consistently quarter over quarter. For Microsoft, this equates to roughly 20-25% of their overall revenue.
By the end of 2019, this could be a $30+ Billion per year service for Microsoft.
As a result, Microsoft invests over $1 Billion in cybersecurity to secure the MS Azure network, which Forensic Notes utilizes.
Why do they invest so much money in Cybersecurity?
Because they know that if client information is ever stolen as a result of their mistake, this would cause trust to quickly diminish and therefore lower future revenues.
Not only does Microsoft spend $1+ Billion a year on cybersecurity for MS Azure, but they also design the software that the majority of businesses use. As a result, they literally have access to the source code of the operating system which your application runs on in the cloud. Not only this, but they have direct access to the engineers of the software should an issue arise.
As more corporations and governments move toward the cloud, the revenue generated from cloud services will make up a larger percentage of the overall revenue for Microsoft, Amazon and other cloud storage providers.
Compare this with the expertise in your IT Department and the amount your company will be spending on cybersecurity and hardware upgrades this year.
I’m not suggesting that you don’t have an amazing IT Department, but let’s be honest for a minute.
If your network engineers were the best in the industry, then don’t you think they would be working for one of the major IT companies?
The internet has allowed us to have access to experts in every field through online chats, videos and articles. The cloud gives us access to IT experts to help manage our networks and applications giving you better security than you can have on your own.
Then I assume you are either personally running the servers and network or working for a truly amazing company with a top-notch IT Department.
If this is the case, then an On-Premises solution may be your best option. But as we will discuss below, security of your data is one reason to move to the cloud; the other is the availability of software.
More and more software companies are moving their applications to the cloud, with fewer developed for On-Premises use.
If you are considering a cloud application, then your next question should be…
“Is the cloud application secure?”
Cloud Application Security
The security of the cloud application you are considering must be analyzed to ensure that your data will be secure within the cloud.
Not all applications are created equal and just because you trust Microsoft or Amazon to store your data and application, this does not mean that the actual application is secure.
One of the main things to consider is if the SaaS vendor is open about their security.
- Is the data encrypted?
- What additional security steps do they take to secure your data?
- Who runs the company? Can they be trusted?
Unencrypted or improperly encrypted data, whether stored in the cloud or within your network, could result in civil lawsuits if that data is ever exposed. You want to be sure steps have been taken to properly encrypt and secure the data.
If the SaaS vendor is not open about how they secure your data and is unwilling to answer security-related questions, then I would avoid such a service. Remember, if they provide ‘marketing terms’ to discuss their security, then you are not getting the answers you need.
Don’t accept “We use military grade encryption” if they are unwilling to provide further details on what that means.
In comparison, we are fully open about how we secure your data at Forensic Notes, as detailed on our Security & Data Encryption page. We are also open to any emails asking for additional information on how we secure our clients’ information.
If you have concerns about the security of the SaaS application you are considering, then I would look for a different service.
Security of your data should be your number one priority when looking at potential software applications and vendors.
Software Applications: Does an On-Premises Option Exist?
“I still don’t want to put my data in the cloud!”
If you still don’t want to put your data in the cloud or haven’t found a SaaS vendor that you trust, then you have to determine if the software you want to use is available for On-Premises installation.
In the past, this was common and the only way to purchase software. However, over the past few years, the majority of software vendors have moved their applications towards cloud services (SaaS = Software as a Service).
As a result, it may be difficult to find software for your organization that is:
- Priced appropriately
One of the first questions when looking at On-Premises software is to determine if the application is current. If the application has been recently developed or updated, then you must determine if the software vendor will continue to update the software in the future to fix bugs and provide feature enhancements.
If this is a considerable investment for your organization, then I would also look to see if you can sign agreements to put the source code of the application in escrow should the company close or fail to provide future updates.
A software escrow is something that we would agree to as discussed here for our larger clients.
If you can’t find any On-Premises software that meets your needs and is currently updated, then this may force you back into a cloud application (SaaS).
An older application that won’t be updated will likely have major security issues and bugs, which could cause major problems for your organization.
Let’s be honest, if the software was any good, they would be continuing to update it.
Don’t trust your data to an outdated system that is no longer updated.
The next item to consider when looking at On-Premises is security.
- How is the data encrypted?
- How will it be secured within your environment?
- Will the system be air-gapped on its own network or accessible from all computers, which likely have internet access?
Once again, you will want to check out the software vendor’s site to see what type of security they use to secure your data within their application, or contact them personally to ask questions.
I hate to say this, but top cybersecurity experts agree, it is not “IF”, but “WHEN” you get breached as an organization.
And breaches don’t always come from the outside; many breaches occur internally. If an employee had access to your servers, could they download all the data stored in the application unencrypted?
This is why data encryption is so important.
A properly developed and secured application will make it very difficult to obtain all the data and encryption keys required to decrypt the data.
You found On-Premises software that is current and secure, but is it affordable?
A lot of current On-Premises software is developed for larger organizations and enterprises. If you are a small or medium-sized business, the cost to purchase, set up and implement may be beyond your current budget. This is what makes SaaS software so attractive, as the monthly costs are usually low compared to purchasing On-Premises.
The reality is that many software vendors don’t want to bother with smaller companies and therefore set their prices to only attract large organizations.
At Forensic Notes, we are committed to the smaller organizations for our On-Premises software as many of our clients are government agencies with limited budgets.
Before committing to an On-Premises application, make sure you find out the final cost to ensure it fits within your budget.
IT Department is Against using the Cloud
This is common among IT departments, especially if the employees are well established and have been within the organization for a while.
Why is this the case?
Well, as stated above, you may work for an amazing organization that employs some of the best IT members. Your organization may also have specific needs that require On-Premises solutions.
Others may have an IT department that doesn’t like change or doesn’t want to give up work, as they believe it could lead to fewer job opportunities in the future.
In theory, the cloud allows organizations to outsource their IT services, but in reality, it simply requires that IT personnel retrain to understand the cloud and how they can work with the cloud provider to provide the most secure network they can for the organization.
Most people fear change. Your IT department is no different.
Cloud Security: Making Your Cloud Application More Secure
There are additional ways to make your cloud applications more secure depending on the options provided by the SaaS provider.
As mentioned previously, by deciding to host your data or application in the cloud, you are simply storing the data on a physical server hosted at a physical location. This is very similar to your organization connecting with another office location or allowing remote access to your systems, except…
The connection is not going through a Virtual Private Network (VPN).
Cloud applications by default are accessible to anyone with the correct URL and login credentials. If the application is designed with security in mind, it will also incorporate additional security systems like Multifactor Authentication (MFA) or hardware tokens to ensure only authorized users gain access to your application.
To make this setup more secure, you can incorporate a VPN from your office location to the cloud servers. This essentially takes your application off the internet and only makes it available to users accessing the application from your office location.
This is how networking works for organizations with multiple locations.
Depending on the setup, this will likely result in additional costs associated with the application both for setup and ongoing maintenance.
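One way to check that the VPN restriction described above is actually in effect is to review the application's access log for any request that did not come from the VPN address ranges. This is an added example, not Forensic Notes code; the address ranges, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed for illustration: the address ranges your office VPN hands out.
VPN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "fd00:20::/32")]

# Constructed sample log lines: client IP, user, request, HTTP status.
SAMPLE_LOG = """\
10.20.4.17 alice "POST /login" 200
10.20.9.2 bob "GET /notes/41" 200
203.0.113.45 alice "POST /login" 200
198.51.100.7 - "POST /login" 401
fd00:20::15 carol "GET /notes/7" 200
not-an-ip dave "GET /" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+)" (\d{3})$')

def inside_vpn(addr):
    """True if the client address belongs to one of the VPN ranges."""
    return any(addr.version == net.version and addr in net for net in VPN_RANGES)

def audit(log_text):
    """Return (outside_ok, outside_denied, unparsed).

    outside_ok:     requests from outside the VPN that succeeded.
    outside_denied: requests from outside that were rejected; the app still
                    answered, so it is still reachable from the internet.
    unparsed:       lines that could not be checked and need manual review.
    """
    outside_ok, outside_denied, unparsed = [], [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)
            continue
        ip_s, user, _method, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(ip_s)
        except ValueError:
            unparsed.append(line)  # never silently skip a line we cannot judge
            continue
        if inside_vpn(addr):
            continue
        entry = (ip_s, user, path, int(status))
        (outside_ok if int(status) < 400 else outside_denied).append(entry)
    return outside_ok, outside_denied, unparsed
```

If the application is truly only reachable through the VPN, both "outside" lists stay empty; any entry in either one means the application is still answering requests from the public internet.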
Is the cloud safe?
Yes, and I hope I showed you why. But you still need to do your research and determine if the SaaS vendor you are choosing has developed an application with security in mind.
In our case, the client who stated “I will never put my data in the cloud” happily signed up with Forensic Notes to utilize our SaaS cloud application for his organization after I was able to show him that his data would be secure.
For some organizations, On-Premises may make sense. Not only for the reasons outlined above, but it also depends on the type of data being stored.
Police departments deal with sensitive information and as a result normally work on secure air-gapped networks that don’t have access to the internet. This is where our On-Premises and Hybrid solutions come in handy.
As always, if you have any questions about Forensic Notes and how we secure our clients’ data, please don’t hesitate to contact me directly at Robert@forensicnotes.com
If you found this article useful, please share via Social Media.
And if you think it could be improved in any way, please let me know.